GONEPOSTAL: New Espionage Malware Hijacks Outlook for Covert Attacks
Researchers at Kroll have reported a new espionage campaign deploying the GONEPOSTAL malware. This tool was uncovered in operations attributed to the group KTA007, also known as Fancy Bear, APT28, and Pawn Storm. Its architecture relies on two primary components: a DLL dropper and a disguised macro module, VbaProject.OTM, for Microsoft Outlook. Together, they transform the mail client into a covert communications channel, granting attackers persistent access to the compromised system.
The counterfeit library SSPICLI.dll masquerades as a legitimate Windows module, redirecting all function calls to the authentic library, renamed tmp7EC9.dll. As a result, applications continue to function normally, while the injected code executes PowerShell commands. These include copying the file testtemp.ini into the Outlook directory—ensuring malicious macros launch automatically with the client—as well as issuing external queries via nslookup and curl to capture usernames and victim IP addresses.
Once executed, the DLL modifies registry settings. The LoadMacroProviderOnBoot key forces Outlook to load macros at startup, the Security Level parameter is set to allow all macros, and the PONT_STRING value disables warnings about potentially unsafe content. In effect, all built-in safeguards are circumvented before Outlook even launches.
The VbaProject.OTM macro file contains the core functionality of GONEPOSTAL. Though its code is hidden by password protection and obfuscation, analysis revealed a fully featured backdoor. When Outlook is opened, the configuration is initialized and the Application_NewMailEx event handler begins monitoring incoming emails. Any message containing encoded commands triggers local execution. The malware supports four primary operations: running PowerShell commands with the output captured, running them without capturing the output, uploading files to the infected machine, and exfiltrating data to an external server.
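As an added defensive example (not code from the Kroll report or from the malware), the PowerShell below audits the current user's host for the registry changes and file artifacts described above. The registry paths, the Office version numbers, and the assumption that a side-loaded SSPICLI.dll or the renamed tmp7EC9.dll would sit beside outlook.exe are the author's assumptions, not details stated in the report.

```powershell
# Added example, not from the Kroll report. Audits the current user's Outlook
# configuration for the settings GONEPOSTAL changes and the files it drops.
# Registry paths and version numbers are assumptions for Outlook 2013 (15.0)
# and Outlook 2016/2019/365 (16.0); adjust for other builds.
function Test-OutlookMacroHardening {
    $findings = @()
    foreach ($ver in @('16.0', '15.0')) {
        $sec = "HKCU:\Software\Microsoft\Office\$ver\Outlook\Security"
        $gen = "HKCU:\Software\Microsoft\Office\$ver\Outlook\Options\General"
        if (Test-Path $sec) {
            $s = Get-ItemProperty -Path $sec
            if ($s.LoadMacroProviderOnBoot -eq 1) {
                $findings += "$sec\LoadMacroProviderOnBoot=1 (macro provider loaded at startup)"
            }
            if ($s.Level -eq 1) {
                $findings += "$sec\Level=1 (all macros enabled without prompt)"
            }
        }
        if (Test-Path $gen) {
            $g = Get-ItemProperty -Path $gen
            if ($null -ne $g.PONT_STRING) {
                $findings += "$gen\PONT_STRING='$($g.PONT_STRING)' (Outlook warnings suppressed)"
            }
        }
    }
    # Outlook loads this macro container automatically; it is legitimate only
    # where the user knowingly wrote VBA for Outlook.
    $otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
    if (Test-Path $otm) {
        $f = Get-Item $otm
        $findings += "VbaProject.OTM present ($($f.Length) bytes, modified $($f.LastWriteTime))"
    }
    # DLL side-loading check (assumption): SSPICLI.dll belongs in System32, and
    # tmp7EC9.dll should not exist at all, so either file next to outlook.exe is suspect.
    $appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE'
    if (Test-Path $appPath) {
        $dir = Split-Path (Get-ItemProperty -Path $appPath).'(default)'
        foreach ($name in @('SSPICLI.dll', 'tmp7EC9.dll')) {
            $candidate = Join-Path $dir $name
            if (Test-Path $candidate) {
                $sig = Get-AuthenticodeSignature -FilePath $candidate
                $findings += "$candidate present (Authenticode status: $($sig.Status))"
            }
        }
    }
    return $findings
}

$result = @(Test-OutlookMacroHardening)
if ($result.Count -eq 0) { 'No GONEPOSTAL-style Outlook changes found.' } else { $result }
```

Run it under the account that uses Outlook, since the registry values live under HKCU; a hit on any line is a reason to pull the VbaProject.OTM and DLLs for analysis rather than simply reverting the keys.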
For data transfer, GONEPOSTAL leverages Outlook itself. Command results and stolen files are split into fragments, encoded in Base64, and attached to outbound emails automatically sent to the operators’ address. Similarly, inbound attachments are reassembled into complete files. By exploiting legitimate corporate email infrastructure, this technique renders activity inconspicuous and difficult for security tools to detect.
A distinctive feature of the malware is its reliance on Living-off-the-Land (LotL) techniques. Instead of external protocols or hidden servers, it hijacks Microsoft Outlook’s native infrastructure, dramatically lowering the likelihood of detection. Analysts also noted unused code segments, hinting at potential expansion of its capabilities in future iterations.
According to Kroll, this tool represents an uncommon and highly resilient persistence mechanism. While Outlook macros have occasionally been abused in past campaigns, GONEPOSTAL remains a rare example of such an approach and poses a significant threat to organizations that rely on Outlook as their primary email client.